The lawmaker said his legislation would give more meaningful assistance to victims of the breach and would require stronger security for information in the future.

by Brandi Bottalico, The Frederick News-Post, MD
/
December 22, 2016

(TNS) -- A Maryland state legislator said he has been “stonewalled” in getting information about a data breach affecting about 1,000 former Frederick County students and will introduce legislation addressing what went wrong.

“If I, as a member of the Maryland General Assembly, cannot get answers, then I cannot imagine how the young adults facing a life of looking over their shoulders must feel,” Del. David E. Vogt III, R-District 4, wrote in a statement his office sent The Frederick News-Post on Wednesday.

He said his legislation would give more meaningful assistance to victims of the breach and would require stronger security for information in the future.

The breach affected about 1,000 former students who attended Frederick County Public Schools between November 2005 and November 2006. Their names, birth dates and Social Security numbers were stolen before 2010.

The list has been visible recently on a website, where someone offered to sell 20,000 Social Security numbers, with the associated birthdays and names. The person posted 1,000 names and numbers as a sample. Many of the 1,000 have been confirmed as former Frederick County students.

The district started investigating the breach in September after getting a tip from a former student whose name is on the list. District representatives have said the investigation needed to be done before the district contacted victims.

Former students identified on the website will be mailed a letter by the end of the week, district spokesman Michael Doerrer said. The letters, which had not been mailed as of 4 p.m. Wednesday, will notify past students they were on the list and offer one year of credit monitoring.

Robert McGinley, who graduated from Walkersville High School in 2011, started a petition online calling for the school system to offer seven years of credit monitoring. The petition, posted at change.org, had more than 500 signatures as of 6 p.m. Wednesday.

McGinley said his name was not listed on the website, but he is friends with many people who were. He wants to know if his information is among the 20,000 identities that the website was offering for sale.

He is drafting a letter to send to Gov. Larry Hogan, along with the petition once it gets 1,000 signatures.

Asked if the district would consider expanding the number of years of credit service it will cover, Doerrer repeated that one year is the industry standard for a data breach.

Former students on the list are starting careers and might not be able to afford their own credit monitoring, which adds up, McGinley said.

“This is a $200 million mistake made by the state,” he said. “People get identity theft monitoring because they did shady stuff online. They didn’t do it because they went to school. ... That’s the main aggravating factor in all this — we just went to school.”

Vogt said in his statement that he plans legislation in the upcoming session requiring responsible organizations to provide up to five years of free identity and credit monitoring services for victims of the FCPS breach and future breaches.

He also will propose removing a requirement that FCPS and other systems transmit students’ personal information to the state if the Maryland State Department of Education “cannot maintain an industry-accepted standard in their information technology systems.”

Frederick County Public Schools said Monday that it is likely that students’ personal information was stolen from a state government computer system, but the education department disputed that.

Vogt said he’s made it a priority to compel the department and Frederick County Public Schools to release relevant information that can point to the origin of the data breach, a rationalization for a several-month delay in notifying victims and the number of students whose information is still being sold online.

“Parents, former students, and concerned citizens are still waiting for answers regarding the FCPS data breach — this legislator included,” his statement says. “The personal information of thousands of Frederick County students continues to be auctioned off in illegal online marketplaces, but the government entities tasked with protecting this information would rather engage in a nontransparent bureaucratic blame-game than admit responsibility and provide citizens with the answers they now need to protect themselves.”

“This situation is immensely serious, and the organizations involved should prioritize what is best for the victims of this crime rather than what is best for the images of their organizations,” he said.

Data breaches and student privacy are a large concern, said Marc Rotenberg, the president and executive director of the Electronic Privacy Information Center, a public interest research center that tracks news and legislation on First Amendment and constitutional issues of privacy.

He said the typical practice after a breach is to notify victims and offer credit monitoring. He thinks the district should do a thorough review of security practices after personal information is compromised.

The subject of student data privacy has been especially important in recent years because schools are under pressure to collect more information, such as behavioral and family information, and make it available to third parties for consulting or research, Rotenberg said. The more that information is shared, the greater the risk it will be compromised, he said.

A Maryland Department of Legislative Services’ audit, released in April 2015, found the school system needs to enhance internal controls and accountability for a number of its financial operations, including procurement, contract monitoring, disbursements, human resources and payroll processing, information system security and food service supplies. The audit found FCPS had not taken steps to properly secure critical computer applications and its network.